Tequila Botnet Leads to Phishing Attack

WRITTEN BY

Danielle Anne Veluz

Background of the Attack

A new phishing attack that originated from Mexico takes advantage of the controversial news about an allegedly missing four-year-old girl, Paulette Gebara Farah, who was later found dead in her own bedroom. This attack was brought about by a Mexican botnet trying to steal banking/financial-related information from users.

Frequently Asked Questions

How does this threat get into users' systems?

This threat may arrive when users click URLs hosted on fake websites with news articles about four-year-old Farah. The page http://www.knijo.{BLOCKED}0.net/fotografias-al-desnudo-de-la-mama-de-paulette.htm contains a related news article about Farah. When a user accesses this page, a fake dialog box pops up and requests the user to download and install Adobe Flash Player.

The malware can also arrive via USB devices as well as via MSN Messenger. The botnet sends out messages that either contain the file itself (as an
attachment of sorts) or links that go to copies of the malware.

What happens in this attack?

In this attack, users are instructed to download and install Adobe Flash Player when prompted by the fake dialog box on the malicious site.
Clicking Run leads to the download of video-de-la-mama-de-paulette.exe, the client program of a bot detected
by Trend Micro as TSPY_MEXBANK.A.

Once the executable file video-de-la-mama-de-paulette.exe
is executed on the affected system, the bot connects to the bot server
to retrieve necessary information. This server displays the total
number of zombies and a list of the compromised computers. ID numbers, client
names, and executed actions are included in the list of zombies as well.
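The infection chain above (a news page that serves its own "Flash Player" executable, which the user is told to Run) leaves a recognisable trace in web-proxy logs. The following added example, which is not from the original article or from Trend Micro, flags an .exe download that follows an HTML page fetch from the same host by the same client within two minutes; the log format and the lure host name are constructed placeholders, not the blocked URL quoted in the text.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log lines (not from the original article).
# Format assumed here: "<timestamp> <client-ip> <method> <url> <status> <content-type>"
SAMPLE_LOG = """\
2010-05-10T14:02:11 10.0.0.7 GET http://www.lure-site.invalid/noticia-paulette.htm 200 text/html
2010-05-10T14:02:40 10.0.0.7 GET http://www.lure-site.invalid/video-de-la-mama-de-paulette.exe 200 application/octet-stream
2010-05-10T14:05:00 10.0.0.9 GET http://news.example.invalid/story.htm 200 text/html
2010-05-10T15:30:00 10.0.0.9 GET http://downloads.example.invalid/setup.exe 200 application/octet-stream
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")
WINDOW = timedelta(seconds=120)  # how soon after the page the download must occur


def parse_line(line):
    """Return (time, client, url, content_type), or None for an unparsable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, _method, url, _status, ctype = m.groups()
    return datetime.fromisoformat(ts), client, url, ctype


def find_lure_downloads(log_text, window=WINDOW):
    """Flag .exe downloads served by the same host as an HTML page the same
    client fetched within `window`: the fake 'install Flash Player' pattern."""
    last_page = {}  # client -> (time, host) of the most recent HTML page
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        when, client, url, ctype = rec
        parsed = urlparse(url)
        host, path = parsed.netloc.lower(), parsed.path.lower()
        if ctype.startswith("text/html"):
            last_page[client] = (when, host)
            continue
        if path.endswith(".exe") and client in last_page:
            page_time, page_host = last_page[client]
            if page_host == host and when - page_time <= window:
                hits.append((client, host, path.rsplit("/", 1)[-1]))
    return hits


if __name__ == "__main__":
    for client, host, exe in find_lure_downloads(SAMPLE_LOG):
        print(f"{client}: fetched {exe} from {host} right after a page on the same host")
```

A genuine Flash Player installer would not be served from the news site itself, so the same-host condition keeps ordinary browsing from being flagged while catching the lure chain described above.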

Unlike the older, more established botnet families, this
botnet has a fairly comprehensive feature set. Each feature is placed in its
own "module," which the botnet herder can configure one by one. It
even has the option to disable or enable a bot, to start netcat (a powerful networking utility that can be used as a
backdoor) on a bot, and to remove the bot from the botnet.

The pharming module in the command-and-control (C&C) server enables the botnet
to target Mexican users for phishing. The botnet targets PayPal's local site
and Bancomer, Mexico's largest financial institution.

Why is the attack noteworthy?

Though the botnet has recently been taken down on June 7, 2010, this attack is noteworthy due to its phishing capabilities, which trick PayPal and Bancomer users into giving out sensitive personal information. PayPal currently has more than 150 million accounts in 190 countries and regions, while Bancomer serves over 11 million customers and accounts for 30% of the total revenue of Banco Bilbao Vizcaya Argentaria (BBVA) worldwide, making it the biggest bank of the group outside Spain.

Because of the botnet's comprehensive feature set, the pharming module allows identity theft from PayPal and Bancomer users. Spoofed email messages purporting to come from these companies urge the recipient to click links to update their personal profiles or to carry out some transaction. The link then takes the victims to fake websites, where the financial information they enter is routed directly to the scammer.

Aside from this, the Tequila botnet can also download files
from various malicious URLs either via HTTP or FTP. It is also important to
note that both ZBOT information stealers as well as FAKEAV malware have been spotted
being dropped by this new family.

The botnet also enables a site to be repeatedly loaded along
with that site’s advertisements. In effect, cybercriminals use this to raise
the traffic to their own sites, increasing the payments made by advertising
networks such as Google’s AdSense.

So what can I do to protect my computer?

It is important that users exercise caution when opening email
messages and when clicking URLs. Since the malware perpetrators are constantly
finding new ways to attack users, users are advised to practice safe computing habits.

Be wary of phishing pages that purport to be legitimate
websites, as these are primarily designed to fool unwitting users into handing
over their personal information. Clicking links on emails that come from
unknown senders is one of the easiest ways to fall prey to similar attacks.

Non-Trend Micro product users can also stay protected via HouseCall,
a free tool that identifies and removes all kinds of viruses, Trojans, worms,
unwanted browser plug-ins, and other malware from affected systems.

From the Field: Expert Insights

"The common misconception about botnets is that
they have global coverage. The Tequila botnet reminds us about botnets'
capability for local coverage wherein bots are segmented by country, company, or specific group of people. In this case, the main target was Mexico. The
secondary target was Chile
for information theft (the botnet's pharming module), malware distribution, and
to increase page hits for websites.

As of June 7, 2010, the owners themselves have taken down the botnet as the C&C server has gone offline. We have not seen any new activity since then, although we are continuing to monitor the now-orphaned bots for any new activity."